[widgets] Making config.xml mandatory

2009-03-09 Thread Marcos Caceres
Opera would like to make the config file in widgets packages
mandatory. Our rationale is that having at least one config.xml file
at the root of the widget gives a sure way to identify a zip archive as
a widget; otherwise arbitrary zip packages with an index.html could be
fed to a widget engine and would run with the security privileges of a
widget.

Kind regards,
Marcos

-- 
Marcos Caceres
http://datadriven.com.au



RE: [widgets] Making config.xml mandatory

2009-03-09 Thread Hillebrand, Rainer
Dear Marcos,

Which different security privileges does a widget have in comparison to any 
other content? Doesn't it depend on a security policy that we do not define in 
the W3C?

Best Regards,

Rainer

*
T-Mobile International
Terminal Technology
Rainer Hillebrand
Head of Terminal Security
Landgrabenweg 151, D-53227 Bonn
Germany

+49 171 5211056 (My T-Mobile)
+49 228 936 13916 (Tel.)
+49 228 936 18406 (Fax)
E-Mail: rainer.hillebr...@t-mobile.net

http://www.t-mobile.net

This e-mail and any attachment are confidential and may be privileged. If you 
are not the intended recipient, notify the sender immediately, destroy all 
copies from your system and do not disclose or use the information for any 
purpose. 


T-Mobile International AG
Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/ Chairman)
Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/ Chairman), Michael 
Günther, Lothar A. Harings, Katharina Hollender
Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276
Steuer-Nr./Tax No.: 205 / 5777/ 0518
USt.-ID./VAT Reg.No.: DE189669124
Sitz der Gesellschaft/ Corporate Headquarters: Bonn



RE: [widgets] Making config.xml mandatory

2009-03-09 Thread David Rogers
Marcos,

As mentioned in the F2F, this is one of the reasons you can see why you need to 
look at defining content types more closely - you need to decide what a widget 
'is' otherwise we're potentially in trouble.

I agree with Rainer's point about policy.

Thanks,


David.

-Original Message-
From: public-webapps-requ...@w3.org [mailto:public-webapps-requ...@w3.org] On 
Behalf Of Marcos Caceres
Sent: 09 March 2009 12:36
To: public-webapps
Subject: [widgets] Making config.xml mandatory

Opera would like to make the config file in widgets packages
mandatory. Our rationale is that having at least one config.xml file
at the root of the widget gives a sure way to identify a zip archive as
a widget; otherwise arbitrary zip packages with an index.html could be
fed to a widget engine and would run with the security privileges of a
widget.

Kind regards,
Marcos

-- 
Marcos Caceres
http://datadriven.com.au




RE: [widgets] Making config.xml mandatory

2009-03-09 Thread Hillebrand, Rainer
Dear Marcos,

We already have defined two parameters that identify a zip archive as a widget 
resource:

a) The content type in a server's response.

b) The file extension for a widget resource that is distributed on memory cards 
for instance.

Roughly thinking, I have the impression that this is sufficient.

In case of a missing config.xml all default configuration settings should apply 
to such a widget resource.

Best Regards,

Rainer




Re: [widgets] Making config.xml mandatory

2009-03-09 Thread Marcos Caceres



On 3/9/09 2:19 PM, David Rogers wrote:

> Marcos,
>
> As mentioned in the F2F, this is one of the reasons you can see why you need to
> look at defining content types more closely - you need to decide what a widget
> 'is' otherwise we're potentially in trouble.
>
> I agree with Rainer's point about policy.



Well, this change defines a widget as:

 * zip file
 * has one config at root
 * config file has at least one tag ()
 *  tag MUST be in widget namespace.
 * has one start file (either a default)

To complement the above, on the Web, a widget is also identified by its 
media type (application/widget) and on disk by its file extension (.wgt).


That's a widget :)

Kind regards,
Marcos
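
The identification rules listed in the message above, as an added example that is not part of the original thread or of any widget engine's code. The element name `widget`, the `content` element, the namespace URI and the default start-file names are assumptions taken from the W3C Widgets Packaging specification, not from this thread; `identify_widget` and `make_zip` are hypothetical helpers.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumptions from the W3C Widgets Packaging spec (not stated in the thread).
WIDGET_NS = "http://www.w3.org/ns/widgets"
DEFAULT_START_FILES = ("index.htm", "index.html", "index.svg",
                       "index.xhtml", "index.xht")
MAX_CONFIG_BYTES = 64 * 1024  # refuse oversized config documents before parsing

def identify_widget(data: bytes):
    """Return (is_widget, reason). Identification only: says nothing about trust."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "not a zip archive"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Exact, case-sensitive match at the archive root; sub/config.xml does not count.
        if "config.xml" not in names:
            return False, "no config.xml at archive root"
        if zf.getinfo("config.xml").file_size > MAX_CONFIG_BYTES:
            return False, "config.xml too large"
        try:
            root = ET.fromstring(zf.read("config.xml"))
        except ET.ParseError:
            return False, "config.xml is not well-formed XML"
        if root.tag != f"{{{WIDGET_NS}}}widget":
            return False, "root element is not widget in the widget namespace"
        # Start file: one declared via <content src="..."> or a default at the root.
        content = root.find(f"{{{WIDGET_NS}}}content")
        declared = content.get("src") if content is not None else None
        if declared not in names and not any(n in names for n in DEFAULT_START_FILES):
            return False, "no start file"
    return True, "widget"

def make_zip(files: dict) -> bytes:
    """Build an in-memory zip from {name: body}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    cfg = f'<widget xmlns="{WIDGET_NS}"/>'
    print(identify_widget(make_zip({"index.html": "<p>hi</p>"})))
    print(identify_widget(make_zip({"config.xml": cfg, "index.html": "<p>hi</p>"})))
```
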



Re: [widgets] Making config.xml mandatory

2009-03-10 Thread Arve Bersvendsen

On Mon, 09 Mar 2009 14:12:38 +0100, Hillebrand, Rainer wrote:

> Which different security privileges does a widget have in comparison to
> any other content? Doesn't it depend on a security policy that we do not
> define in the W3C?


While this is not yet defined by the W3C or other organizations, pre-existing 
implementations do indeed have different privileges:

1. Commonly, widget runtimes may ignore the same-origin policy that browsers 
have used
2. Some legacy implementations essentially have shell access, and bundle a set 
of GNU (or GNU-like) tools
3. Filesystem access
4. Extended device API work is ongoing, such as OMTP's initiative
--
Arve Bersvendsen

Developer, Opera Software ASA, http://www.opera.com/





RE: [widgets] Making config.xml mandatory

2009-03-10 Thread Hillebrand, Rainer
Dear Arve,

Good point regarding OMTP/BONDI. BONDI supports a security framework for 
widgets and "web pages" (or non-widgets).

On the other hand, if widgets in pre-existing implementations may use sensitive 
resources then I as an attacker would pack my rogue content in a widget 
resource, add the config.xml file and run my attack. In other words, the 
config.xml file does not prevent any attack.

I agree with you that the config.xml file already supports security relevant 
features, like . However, as long as we do not have any 
means to check whether a widget user agent could trust a widget and that it 
does not misuse the network access, then a widget user agent must always allow 
this network access.

If the config.xml file is the major means to identify a zip archive as widget 
resource then we will not need to define the file extension "wgt" and the MIME 
type application/widget.

IMHO, I do not see the config.xml as a security solution. I would agree with 
you that it might be required to define settings that do not have default 
values. Do we have such settings?

Best Regards,

Rainer




Re: [widgets] Making config.xml mandatory

2009-03-10 Thread Mark Baker
I think the TAG's finding on authoritative metadata is germane here;

http://www.w3.org/2001/tag/doc/mime-respect

Mark.

On Mon, Mar 9, 2009 at 8:36 AM, Marcos Caceres wrote:
> Opera would like to make the config file in widgets packages
> mandatory. Our rationale is that having at least one config.xml file
> at the root of the widget gives a sure way to identify a zip archive as
> a widget; otherwise arbitrary zip packages with an index.html could be
> fed to a widget engine and would run with the security privileges of a
> widget.
>
> Kind regards,
> Marcos
>
> --
> Marcos Caceres
> http://datadriven.com.au
>
>



Re: [widgets] Making config.xml mandatory

2009-03-10 Thread Marcos Caceres



On 3/10/09 3:48 PM, Mark Baker wrote:

> I think the TAG's finding on authoritative metadata is germane here;
>
> http://www.w3.org/2001/tag/doc/mime-respect


That only applies to widgets that are acquired over HTTP. Widgets can come 
from any source, including those that know nothing of media types. 
Nonetheless, media types are respected when a widget is acquired over 
HTTP (see Step 1 in P&C spec [1] to see if we have spec'd it correctly).


Kind regards,
Marcos

[1] 
http://dev.w3.org/2006/waf/widgets/#step-1--acquire-a-potential-zip-archive